W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2015

Re: CSP: Drop IP-matching? (was Re: [CSP] URI/IRI normalization and comparison)

From: Mike West <mkwst@google.com>
Date: Thu, 29 Jan 2015 10:46:34 +0100
Message-ID: <CAKXHy=dJFSGSg9f9B6Bkf6OxZjYwL1k3oweGRWCPMCi=Ze5BAQ@mail.gmail.com>
To: Joel Weinberger <jww@chromium.org>
Cc: Brian Smith <brian@briansmith.org>, Brad Hill <hillbrad@gmail.com>, Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Thu, Jan 29, 2015 at 10:42 AM, Joel Weinberger <jww@chromium.org> wrote:

> Not to add too much fuel to the fire here, but what if, for cleanliness,
> the spec did not allow *any* IP address, but did specify that user agents
> treat a src of localhost as equivalent to 127.0.0.1 and ::1?
>

If we decide to restrict IP addresses, that seems like a fine way of doing
it.

For me, the question is whether the window has already closed in which we
could have created such a restriction. Given that we've been shipping with
IPv4 support for ~2 years, it wouldn't surprise me if applications had come
to depend in one way or another on the behavior.

As I mentioned in an earlier email, data would help here.

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Thursday, 29 January 2015 09:47:22 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:09 UTC